In Identify Risks process you identified all possible risks on the project.
Next logical step is to prioritize them, so that high priority ones are addressed first. Prioritization is done based on probability of occurrence and impact on project objectives if and when they materialize.
This is done in this process called Perform Qualitative Risk Analysis.
Since this is qualitative, to some extent subjective, this can be done with relative ease. Once prioritized, this list then forms as a basis for performing quantitative risk analysis.
Quite evidently, Risk management plan is what we need to consider, as it outlines the processes for qualitative analysis of risks.
Risk register lists all risks to analyze.
Scope baseline contains project scope document and Work Breakdown Structure that help understand about activities. If project involves specialized needs or if it is one-of-a-kind project then expert judgment may become critical in analyzing risks.
Enterprise environmental factors are helpful artifacts such as risk databases or industry studies of similar projects.
While analyzing risks you would need all the help you can get. An ounce of prevention may indeed turn out to be better than a pound of cure later. Organizational process assets may have risk related studies done earlier or lessons learned from similar earlier projects that you can use.
How do we analyze?
Probability and impact matrix is quite simply a tabular representation that assigns a numerical value to every combination of probability value and impact value. This numerical value is arrived at by multiplying probability value and impact value, as shown below. This matrix is expected to be available in organizational process assets.
Risks that have low probability and impact are included in a watch list. This is monitored at regular intervals to see if their probability or impact ratings have changed.
Each risk is prioritized based on the value derived from this matrix, looking at their probability and impact numbers.
Risks that have values from the dark zone in the matrix below will have higher priority, requiring aggressive response strategies.
Figure 1: Sample Probability and Impact Matrix
- Separate Probability and Impact Matrix is used for threats and opportunities
- A separate matrix can be prepared for each of the project objectives such as cost, schedule, quality and scope
- Number of steps in the matrix is determined based on organization’s preferences
Let us look at a simple example –
You are preparing tea for the guests. What are the couple of risks you can think of?
- Sugar added may be more than required, making tea too sweet
- Tea may have over-boiled, making it bitter
Let us assign probability and impact percentages:
Here, Scale is determined by looking up the probability and impact values in the chart and where the intersecting cell falls into – low, medium or high.
Adding excessive sugar is assigned a scale of medium risk and over-boiling tea, high risk.
This could also be due to the fact that, in this simple case, we understand the risk responses: there is a way to correct the mistake in the former case (sweetness lessened by adding milk), but for the second risk the possibility of correction is very less. In this example we even derived the output of another process: Plan Risk Responses.
Risk data quality measurement is about ensuring that the risk data used to assess priorities is accurate. Since this is qualitative assessment the strength of assessment depends on the quality of data used. This assessment is done either by experts, or by project management team by looking at such data from previous projects.
Risk categorization is about grouping risks on some basis. Risks can be categorized based on source, level of impact, root cause, or anything that helps in strategizing effective responses. Categorization helps in coming up with common risk responses that can be applied to multiple risks.
Risk urgency assessment is about figuring out which risks need to be addressed in short term. This can be decided based on the prioritization done using probability and impact matrix.
What’s the impact?
Risk register updates – using each of the tools and techniques above you would have valuable updates to the risk register.
Risk register can be updated with following information –
- Risk prioritization based on probability and impact
- Risk categorization
- Additional information about a risk such as trigger conditions and likelihood of occurrence
- List of risks that need responses in near-future
- List of risks that are low on probability and impact, that can be put on a watch list
- Some risk responses may be discovered while analyzing risks
- List of risks that could not be analyzed for lack of data and are to be considered during Perform Quantitative Risk Analysis process
Assumption logs – more you understand about risks more assumptions will be validated, which can be updated in the assumption logs.